WeChat ZSTD Decompression Dictionary

On this episode of Most Annoying Forensic Reconstruction Ever, I present to you the raw data structure of WeChat and its incredibly obnoxious use of a decompression dictionary.

WeChat makes it extraordinarily difficult to export one’s chats. This creates obvious and real problems when the chats are needed as evidence. Some of the chats show up in the standard message database, which can be found here:

/private/var/mobile/Applications/com.tencent.xin/Documents/[uniqueUUID]/DB/message_#.sqlite

The problem is that *sometimes*, *some* of the messages are compressed with ZSTD (Zstandard) using a custom trained dictionary. The data is not encrypted in the traditional sense, but the effect is the same: a zstd frame compressed against a dictionary stores only that dictionary’s ID in its header, and a decompressor that does not have the matching dictionary cannot reconstruct the content. WeChat doesn’t ship the dictionary to users and in fact makes it quite difficult to obtain.

So, without the custom trained *.zstd dictionary file, you’re out of luck.

The Android APK does not include the dictionary, and standard iTunes iOS backups do not include it either. It would likely turn up in a GrayKey raw data extraction and maybe in a Cellebrite Advanced Logical.

But what I know for absolute certain, after a ton of trial and error, is that the dictionary can be found inside the WeChat.app bundle (as of 8.0.73, anyway) downloaded directly from the App Store. As you already guessed, the native/original *.app bundles are not included in standard logical iTunes backups. Installed bundles live under /var/containers/Bundle/Application/[…] and can only be reached with full filesystem access (a jailbroken device or an equivalent extraction).

Inside that bundle you’ll find MsgDict.zstd at the root, SHA-1: A85A7721A195B2166860A84208310C3B61A94B6C. Note that the file appears to be AES encrypted (its length is aligned to 16-byte blocks, but it could be AES plus something else), so you’ll need forensic software that knows how to make use of it; check ahead of time that your tool supports it.
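To make the “effectively encrypted” point concrete, here is an added example (my own code, not WeChat’s and not taken from any forensic tool): a minimal parser for the zstd frame header and the zstd dictionary header, with no third-party modules. A frame compressed against a dictionary records that dictionary’s 32-bit ID, and a formatted dictionary file starts with the magic bytes 37 A4 30 EC followed by the same ID, so the two can be matched before any tool is pointed at the data. The sample frame, dictionary and opaque blob below are constructed for the demonstration and the dictionary ID 0x12345678 is made up; nothing here is taken from MsgDict.zstd or from a WeChat database.

```python
"""Which zstd dictionary does a message frame need, and is a recovered
dictionary file that dictionary?  Stand-alone parser for the Zstandard
frame header (RFC 8878 section 3.1.1) and dictionary header (section 5)."""
import struct

ZSTD_FRAME_MAGIC = 0xFD2FB528   # bytes 28 B5 2F FD at the start of every frame
ZSTD_DICT_MAGIC = 0xEC30A437    # bytes 37 A4 30 EC at the start of a formatted dictionary


def parse_frame_header(data: bytes) -> dict:
    """Decode the frame header fields that identify the dictionary a frame
    was compressed against. Raises ValueError if data is not a zstd frame."""
    if len(data) < 6:
        raise ValueError("too short to be a zstd frame")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != ZSTD_FRAME_MAGIC:
        raise ValueError(f"not a zstd frame (magic 0x{magic:08X})")
    fhd = data[4]                              # Frame_Header_Descriptor
    fcs_flag = fhd >> 6                        # Frame_Content_Size_flag
    single_segment = bool(fhd & 0x20)          # no Window_Descriptor when set
    has_checksum = bool(fhd & 0x04)            # 4-byte XXH64 trailer present
    did_size = (0, 1, 2, 4)[fhd & 0x03]        # width of the Dictionary_ID field
    fcs_size = (1 if single_segment else 0, 2, 4, 8)[fcs_flag]
    pos = 5
    window_size = None
    if not single_segment:
        wd = data[pos]                         # Window_Descriptor: exponent<<3 | mantissa
        pos += 1
        exponent, mantissa = wd >> 3, wd & 0x07
        base = 1 << (10 + exponent)
        window_size = base + (base // 8) * mantissa
    dict_id = 0                                # 0 means "no dictionary needed"
    if did_size:
        dict_id = int.from_bytes(data[pos:pos + did_size], "little")
        pos += did_size
    content_size = None
    if fcs_size:
        raw = int.from_bytes(data[pos:pos + fcs_size], "little")
        pos += fcs_size
        content_size = raw + 256 if fcs_size == 2 else raw   # 2-byte field is offset by 256
    return {
        "dict_id": dict_id,
        "dict_id_size": did_size,
        "window_size": window_size,
        "content_size": content_size,
        "has_checksum": has_checksum,
        "header_len": pos,
    }


def parse_dictionary(data: bytes) -> dict:
    """Report whether a file is a formatted zstd dictionary and, if so, its ID.
    A file without the magic might be a raw-content dictionary, or it might
    be encrypted or unrelated; this function only reports what is there."""
    if len(data) >= 8:
        magic, dict_id = struct.unpack_from("<II", data, 0)
        if magic == ZSTD_DICT_MAGIC:
            return {"formatted": True, "dict_id": dict_id, "size": len(data)}
    return {"formatted": False, "dict_id": None, "size": len(data)}


def dictionary_matches(frame: bytes, dictionary: bytes) -> bool:
    """True when the frame names a dictionary ID and the dictionary file
    carries that same ID. Frames with dict_id 0 need no dictionary."""
    needed = parse_frame_header(frame)["dict_id"]
    have = parse_dictionary(dictionary)
    return needed != 0 and have["formatted"] and have["dict_id"] == needed


# Constructed sample data (not recovered from WeChat): a frame that declares a
# 4-byte dictionary ID of 0x12345678 and a 2 MiB window, followed by one raw
# last block holding b"hello"; a dictionary header with the same ID padded with
# filler instead of real entropy tables; a frame with no dictionary; and a blob
# with no zstd magic at all, standing in for an encrypted file.
SAMPLE_FRAME = (
    bytes.fromhex("28B52FFD")      # frame magic
    + bytes.fromhex("03")          # FHD: no FCS field, window present, 4-byte Dictionary_ID
    + bytes.fromhex("58")          # Window_Descriptor: exponent 11 -> 1 << 21 bytes
    + bytes.fromhex("78563412")    # Dictionary_ID 0x12345678, little-endian
    + bytes.fromhex("290000")      # block header: last block, raw, size 5
    + b"hello"
)
SAMPLE_DICT = bytes.fromhex("37A430EC") + bytes.fromhex("78563412") + b"\x00" * 24
NO_DICT_FRAME = bytes.fromhex("28B52FFD00580029000") + b"0" + b"hello" if False else (
    bytes.fromhex("28B52FFD") + bytes.fromhex("00") + bytes.fromhex("58")
    + bytes.fromhex("290000") + b"hello"
)
OPAQUE_BLOB = bytes(range(32))


if __name__ == "__main__":
    hdr = parse_frame_header(SAMPLE_FRAME)
    print(f"frame needs dictionary 0x{hdr['dict_id']:08X}, window {hdr['window_size']} bytes")
    print("dictionary file:", parse_dictionary(SAMPLE_DICT))
    print("match:", dictionary_matches(SAMPLE_FRAME, SAMPLE_DICT))
    print("opaque blob:", parse_dictionary(OPAQUE_BLOB))
```

Run `parse_dictionary` over the recovered MsgDict.zstd: if it reports `formatted: False`, the bytes as stored on disk are not a standard zstd dictionary, which fits the encryption observation above (a raw-content dictionary would also lack the magic, and zstd will try any such file when given with `-D`, so that case is easy to rule out). Run `parse_frame_header` over a compressed blob from message_#.sqlite to learn which dictionary ID the message actually references; a `dict_id` of 0 means the message needs no dictionary at all.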

I find it most baffling that the engineers went through so much work to obfuscate and encrypt a simple decompression dictionary.
